Continue writing exercise 5.

data/workshop/exercise5.mdx

@@ -54,14 +54,140 @@ Use the following Python code to minify your mirror container registry pull secr
 python3 -c $'import json\nimport sys\nwith open(sys.argv[1], "r") as f: print(json.dumps(json.load(f)))' /run/user/1000/containers/auth.json
 ```
 
+> Note: For connected installations, you'd use the secret from the Hybrid Cloud Console, but for our use case, the mirror registry is the only one OpenShift will need to authenticate to.
+
 Then we can go ahead and generate our `install-config.yaml`:
 
-> Note: We are setting --log-level
+> Note: We are setting --log-level to get more verbose output.
 
 ```bash
 /mnt/high-side/openshift-install create install-config --dir /mnt/high-side/install --log-level=DEBUG
 ```
 
+The OpenShift installer will prompt you for a number of fields; enter the values below:
+
+- SSH Public Key: `/home/ec2-user/.ssh/disco-openshift-key.pub`
+> The SSH public key used to access all nodes within the cluster.
+
+- Platform: aws
+> The platform on which the cluster will run.
+
+- AWS Access Key ID and Secret Access Key: From `cat ~/.aws/credentials`
+
+- Region: `us-east-2`
+
+- Base Domain: `sandboxXXXX.opentlc.com` This should automatically populate.
+> The base domain of the cluster. All DNS records will be sub-domains of this base and will also include the cluster name.
+
+- Cluster Name: `disco`
+>The name of the cluster. This will be used when generating sub-domains.
+
+- Pull Secret: Paste the output from minifying this to a single line in Step 3.
+
+That's it! The installer will generate `install-config.yaml` and drop it in `/mnt/high-side/install` for you.
+
+Once the config file is generated take a look through it, we will be making some changes as follows:
+
+- Change `publish` from `External` to `Internal`. We're using private subnets to house the cluster, so it won't be publicly accessible.
+
+- Add the subnet IDs for your private subnets to `platform.aws.subnets`. Otherwise, the installer will create its own VPC and subnets. You can retrieve them by running this command from your workstation:
+
+```bash
+aws ec2 describe-subnets | jq '[.Subnets[] | select(.Tags[].Value | contains ("Private")).SubnetId] | unique' -r | yq read - -P
+```
+
+Then add them to `platform.aws.subnets` in your `install-config.yaml` so that they look something like this:
+
+```yaml
+platform:
+  aws:
+    region: us-east-1
+    subnets:
+    - subnet-00f28bbc11d25d523
+    - subnet-07b4de5ea3a39c0fd
+    - subnet-07b4de5ea3a39c0fd
+```
+
+- Next we need to modify the `machineNetwork` to match the IPv4 CIDR blocks from the private subnets. Otherwise your control plane and compute nodes will be assigned IP addresses that are out of range and break the install. You can retrieve them by running this command from your workstation:
+
+```bash
+aws ec2 describe-subnets | jq '[.Subnets[] | select(.Tags[].Value | contains ("Private")).CidrBlock] | unique | map("cidr: " + .)' | yq read -P - | sed "s/'//g"  
+```
+
+Then use them to **replace the existing** `networking.machineNetwork` entry in your `install-config.yaml` so that they look something like this:
+
+```yaml
+networking:
+  clusterNetwork:
+  - cidr: 10.128.0.0/14
+    hostPrefix: 23
+  machineNetwork:
+  - cidr: 10.0.48.0/20
+  - cidr: 10.0.64.0/20
+  - cidr: 10.0.80.0/20
+```
+
+- Next we will add the `imageContentSources` to ensure image mappings happen correctly. You can append them to your `install-config.yaml` by running this command:
+
+```bash
+cat << EOF >> install-config.yaml
+imageContentSources:
+  - mirrors:
+    - $(hostname)/ubi8/ubi
+    source: registry.redhat.io/ubi8/ubi
+  - mirrors:
+    - $(hostname)/openshift/release-images
+    source: quay.io/openshift-release-dev/ocp-release
+  - mirrors:
+    - $(hostname)/openshift/release
+    source: quay.io/openshift-release-dev/ocp-v4.0-art-dev
+EOF
+```
+
+- Add the root CA of our mirror registry (`/mnt/high-side/quay/quay-install/quay-rootCA/rootCA.pem`) to the trust bundle using the `additionalTrustBundle` field by running this command:
+
+```bash
+cat <<EOF >> install-config.yaml
+additionalTrustBundle: |
+$(cat /mnt/high-side/quay/quay-install/quay-rootCA/rootCA.pem | sed 's/^/  /')
+EOF
+```
+
+It should look something like this:
+
+```yaml
+additionalTrustBundle: |
+  -----BEGIN CERTIFICATE-----
+  MIID2DCCAsCgAwIBAgIUbL/naWCJ48BEL28wJTvMhJEz/C8wDQYJKoZIhvcNAQEL
+  BQAwdTELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAlZBMREwDwYDVQQHDAhOZXcgWW9y
+  azENMAsGA1UECgwEUXVheTERMA8GA1UECwwIRGl2aXNpb24xJDAiBgNVBAMMG2lw
+  LTEwLTAtNTEtMjA2LmVjMi5pbnRlcm5hbDAeFw0yMzA3MTExODIyMjNaFw0yNjA0
+  MzAxODIyMjNaMHUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJWQTERMA8GA1UEBwwI
+  TmV3IFlvcmsxDTALBgNVBAoMBFF1YXkxETAPBgNVBAsMCERpdmlzaW9uMSQwIgYD
+  VQQDDBtpcC0xMC0wLTUxLTIwNi5lYzIuaW50ZXJuYWwwggEiMA0GCSqGSIb3DQEB
+  AQUAA4IBDwAwggEKAoIBAQDEz/8Pi4UYf/zanB4GHMlo4nbJYIJsyDWx+dPITTMd
+  J3pdOo5BMkkUQL8rSFkc3RjY/grdk2jejVPQ8sVnSabsTl+ku7hT0t1w7E0uPY8d
+  RTeGoa5QvdFOxWz6JsLo+C+JwVOWI088tYX1XZ86TD5FflOEeOwWvs5cmQX6L5O9
+  QGO4PHBc9FWpmaHvFBiRJN3AQkMK4C9XB82G6mCp3c1cmVwFOo3vX7h5738PKXWg
+  KYUTGXHxd/41DBhhY7BpgiwRF1idfLv4OE4bzsb42qaU4rKi1TY+xXIYZ/9DPzTN
+  nQ2AHPWbVxI+m8DZa1DAfPvlZVxAm00E1qPPM30WrU4nAgMBAAGjYDBeMAsGA1Ud
+  DwQEAwIC5DATBgNVHSUEDDAKBggrBgEFBQcDATAmBgNVHREEHzAdghtpcC0xMC0w
+  LTUxLTIwNi5lYzIuaW50ZXJuYWwwEgYDVR0TAQH/BAgwBgEB/wIBATANBgkqhkiG
+  9w0BAQsFAAOCAQEAkkV7/+YhWf1vq//N0Ms0td0WDJnqAlbZUgGkUu/6XiUToFtn
+  OE58KCudP0cAQtvl0ISfw0c7X/Ve11H5YSsVE9afoa0whEO1yntdYQagR0RLJnyo
+  Dj9xhQTEKAk5zXlHS4meIgALi734N2KRu+GJDyb6J0XeYS2V1yQ2Ip7AfCFLdwoY
+  cLtooQugLZ8t+Kkqeopy4pt8l0/FqHDidww1FDoZ+v7PteoYQfx4+R5e8ko/vKAI
+  OCALo9gecCXc9U63l5QL+8z0Y/CU9XYNDfZGNLSKyFTsbQFAqDxnCcIngdnYFbFp
+  mRa1akgfPl+BvAo17AtOiWbhAjipf5kSBpmyJA==
+  -----END CERTIFICATE-----
+```
+
+Lastly, now is a good time to make a backup of your `install-config.yaml` since the installer will consume (and delete) it:
+
+```bash
+cp install-config.yaml install-config.yaml.bak
+```
+
 
 ## 5.2 Running the installation